Hi Claudia,

I'm not aware of any document I could point you to that describes in
detail the DCT2000 .out format. I'm not even sure what all of the
fields do, and in the interests of forward-compatibility I tried to make
the parsing not rely upon finding fields I wasn't using.

You may know that the -a flag in the DCT2000 'dctprint' command or the
corresponding menu item in 'logviewer' can show absolute time (the full
time within that day) while decoding the .out file. The time will
always be stored as relative time in the .out file.

Ethereal can show the absolute timestamp of each packet. And you can
merge 2 or more .out files together using mergecap (-F dct2000 -T
dct2000) or the File | Merge... function in ethereal. While saving the
.out file the wiretap module rewrites the timestamp of each packet
calculated relative to the absolute start time of the capture (which
will be taken from the file with the earliest start-time).

What won't work properly is if you try to set an earlier time using
editcap, as it currently doesn't handle re-writing new times
and won't parse -ve relative times....

Hope this helps,
Martin

Claudia Becker wrote:

Hi Martin,

Is it possible to get detailed information about the DCT2000 format?
I'm especially interested in the time format. Is it possible to give each
packet an absolute timestamp and not only a timestamp that is relative to
the time in the second line of the file?

Best regards
Claudia Becker

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Martin
Mathieson
Sent: Wednesday, 12 April 2006 19:14
To: Ethereal development
Subject: [Ethereal-dev] [Patches] Wiretap support for Catapult DCT2000
.out files

Hi,

This attached patch and new files provide support for Catapult DCT2000
.out files to wiretap and ethereal.

This wiretap support (catapult_dct2000.c+h) appends a short header to
each packet giving some context, and a corresponding ethereal dissector
(packet-catapult-dct2000.c) parses this before passing the real payload
onto an existing ethereal dissector (for ethernet, ip, lapd, ppp,
frame-relay,...).

For now, there is only support for saving dct2000 files in their own
format, although I may add support for converting between dct2000 and
libpcap later.

I've also attached a short capture file (test.out) used to test each of
the supported link-type protocols. I know some of these messages show
as malformed (they are mostly taken from low-level protocol tests), but
they are enough to illustrate/verify the mapping between DCT2000
protocols and ethereal dissectors.

I've tested this with quite a few test files (I work at Catapult), and
reading/writing/merging works well for me. I've also done some testing
with mergecap and editcap (encap string is "dct2000") which seems to
work. This is the first wiretap module I've added, so any
comments/suggestions are very welcome.

Best regards,
Martin

P.S. the diff file contains small, unrelated RTCP dissector changes,
could these please be applied too...?
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev